Should we get outside compliance help? Thoughts on when, why, and who

By Randall H. Cook

September 29, 2017

For most organizations, lean execution and reducing overhead are constant expectations. As a result, it is often difficult to be the one arguing in favor of spending money on outside compliance help. In our experience building an in-house compliance team, we focused on developing effective, credible, and efficient internal capabilities to improve program performance and drive down costs. But for even the most robust compliance program, there are some situations in which the best interest of the organization is to engage high-value outside resources.

This piece describes several considerations, based on our experience working in and with complex organizations, in the analysis of when outside compliance resources are the right answer. These considerations may also help justify the need for such assistance to your operational and financial colleagues, and help you choose among the menu of available capabilities. In every instance, the fundamental question is, what solution would be most effective, credible, and efficient?

How serious is the problem?

Issues that implicate knowing, widespread, and/or ongoing noncompliance or illegality need to be addressed by focused, competent capabilities. If there is risk that the issue will be disclosed to the government or become the subject of litigation, or that the company’s response may otherwise be subject to outside scrutiny, a credible, independent capability becomes more important. For example, responding to a government inquiry or mandate, addressing a significant program defect identified during an audit or self-assessment, or correcting a problem caused by an employee’s knowing misconduct are all issues for which outside assistance may be advisable. To address situations in which you know there is heightened compliance risk, you need people who have successfully resolved similar problems before. This can make the difference between a satisfactory outcome and a disastrous result.

Are your internal capabilities up to the task?

Different organizations have different levels of compliance capability. You should be clear-eyed about your own organization’s strengths and opportunities. If you have a lean organization that is tailored to address solely recurring issues, recognize that reality. Similarly, some tasks present peculiar capability or design challenges that are best addressed by specialized resources. You are not doing yourself or your organization any favors if you task an internal resource to resolve an issue that your company cannot address credibly or in a timely manner, especially if the effort causes neglect of that person’s or team’s principal responsibilities. Addressing recently identified, but historical violations and compliance problems; designing and implementing new system or process enhancements, such as data-based program performance measures; and integrating new product, program, business lines, or joint ventures are the kinds of issues that may exceed the capacity of internal resources, and lend themselves to outside help. Keep in mind that a hybrid approach may be a good option: If your internal capabilities are not seasoned in a particular compliance task, engaging expert outside help to form mixed internal-external teams can be a cost-effective way to address complex initiatives while simultaneously seasoning your internal resources.

Is there a concern with independence or credibility?

If the problem implicates any considerations that may lead to an actual or perceived conflict of interest, or that would otherwise impair the credibility or objectivity of an internal resource-led solution, you should consider an outside resource. Compliance issues that particularly implicate this consideration are the direct involvement of senior enterprise or compliance leadership in the underlying scenario, or where the validity of a previous assertion or commitment is called into question. For example, determining that a new violation may be related to the company’s failure to complete a corrective action from a previous disclosure to the government may prompt the need for independent assistance. Engaging an experienced and expert third party to address a recurring or particularly problematic issue can sometimes carry additional weight with regulators, demonstrating your company’s commitment to compliance. It may also help communicate seriousness to internal constituencies, demonstrating to leadership, employees, shareholders, and customers that the company recognizes the need for objectivity. Finally, an external resource may help insulate both the internal compliance team and the organization’s leadership from the “blowback” that can accompany the resolution of a tough compliance activity.

Is the problem recurring or temporary/exceptional?

If you are addressing a compliance issue that is recurring or persistent, you should consider whether an internal resource (whether reassigned or newly staffed) may be the most appropriate approach. Conversely, a crisis, or a temporary or surge requirement, is likely to be most efficiently addressed through outside resources.

Has it been awhile since you benchmarked your program?

Periodic, objective program health reviews and self assessments are critical for both the performance and credibility of your program. The compliance environment is dynamic, and industry and regulatory best practices constantly evolve. Frequency and depth vary by industry and particular organizational circumstance, but periodic use of an outside expert can be valuable to validate the strength of your program, help identify emergent risks, and keep you abreast of evolving expectations.

Is there an outside resource that is well-suited to the task?

There are few things more frustrating than spending scarce financial and organizational capital on an outside resource that proves poorly suited to address your problem. Circling back to the fundamental question, an outside resource is worth it only if it delivers a credible, effective, and efficient solution. Clearly, there is a range of options to choose from. In general, you will want to make sure the provider has the perspective to understand your problem, and the right experience, vision, expertise, and capabilities to resolve it. Make sure the provider knows how to partner with your internal compliance and business resources. As mentioned, a provider that can integrate seamlessly into a hybrid team of internal and external resources can be a particularly high-value resource. Privilege is often a relevant consideration. Subject-matter consulting experts can be engaged through in-house or outside counsel to preserve privilege when that is desired or needed. Finally, finding a provider that understands and addresses compliance issues in the context of your business system, rather than as a discrete regulatory or transactional problem, is vital to achieving the best, most satisfying outcome.

Let’s face it, the final determination in whether to hire an outside resource is your organization’s willingness to pay for it. In general, though, framing a request as the most effective, credible, and efficient solution to a problem the enterprise needs to resolve – in order to avoid risking a compliance failure – optimizes the likelihood of securing the resources you need.